[squid-users] Reverse - Apache - Syn Flood
Hi all,

I want to set up Squid as a reverse proxy for my Apache servers. But.. can Squid protect my Apache servers from SYN flood and botnet attacks? Or does Squid drop this connection when Apache is in SYN_RECV? Or is a Squid reverse proxy enough for this, resource-wise? Or can it be a resource problem?

Thanks everybody..

--
Mehmet CELIK
Istanbul/TURKEY
Re: [squid-users] Reverse - Apache - Syn Flood
On Sun, 2008-11-02 at 20:34 +0200, Mehmet CELIK wrote:

> I want to set up Squid as a reverse proxy for my Apache servers. But.. can Squid protect my Apache servers from SYN flood and botnet attacks? Or does Squid drop this connection when Apache is in SYN_RECV? Or is a Squid reverse proxy enough for this, resource-wise? Or can it be a resource problem?

SYN floods aren't really a big problem with correct OS tuning; they only cost memory and a little bit of CPU to deal with. You need a sufficiently large SYN backlog. This is independent of Squid, same for any TCP service.

Connection flooding is worse.. and requires offending clients to be blacklisted by firewalling once identified. Hmm... we probably should do something about that in Squid as well.. there is a good beginner task for anyone interested in Squid development. http://wiki.squid-cache.org/Features/TCPAccess

Regards
Henrik
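Henrik's two points, a large enough SYN backlog and firewalling offending clients once identified, are operational checks on the host, not Squid features. The following script is an added example written for this thread, not code from the list or from the Squid project. It works on `ss -tan`-style socket listings so it can run on a captured snapshot: it counts half-open (SYN-RECV) sockets, groups them by peer address, flags peers over an operator-chosen threshold as candidates for a firewall block list, and reads the two kernel SYN-backlog settings. The socket lines and all addresses in it are constructed documentation values; the threshold of 50 is an arbitrary placeholder, not a recommendation.

```shell
#!/bin/sh
# Added example for the squid-users thread, not from Squid or the list.
# Works on `ss -tan`-style output (Linux iproute2 format) so it can be run
# on a live host or on a captured snapshot; all IPs here are constructed.

# Constructed sample snapshot of `ss -tan` output.
SAMPLE='State    Recv-Q Send-Q Local Address:Port  Peer Address:Port
SYN-RECV 0      0      203.0.113.10:80     198.51.100.7:51234
SYN-RECV 0      0      203.0.113.10:80     198.51.100.7:51235
ESTAB    0      0      203.0.113.10:80     192.0.2.44:40001
SYN-RECV 0      0      203.0.113.10:80     192.0.2.44:40002
ESTAB    0      0      203.0.113.10:80     192.0.2.45:40003'

# Number of half-open (SYN-RECV) connections in the snapshot.
count_syn_recv() {
    printf '%s\n' "$1" | awk '$1 == "SYN-RECV" { n++ } END { print n + 0 }'
}

# Half-open connections per peer address, highest first: "<count> <ip>".
# Only the trailing ":port" is stripped from the peer column, so bracketed
# IPv6 peers keep their address intact.
syn_recv_by_peer() {
    printf '%s\n' "$1" | awk '$1 == "SYN-RECV" {
        peer = $5; sub(/:[0-9]+$/, "", peer); c[peer]++
    } END { for (p in c) print c[p], p }' | sort -rn
}

# Peers with at least $2 half-open connections: candidates for the firewall
# block list Henrik mentions. The default of 50 is an arbitrary placeholder;
# pick a threshold from your own baseline traffic.
syn_recv_offenders() {
    syn_recv_by_peer "$1" | awk -v min="${2:-50}" '$1 >= min { print $2 }'
}

# Kernel SYN-backlog settings behind "correct OS tuning"; prints "n/a" when
# run outside Linux or without read access to /proc.
syn_backlog_settings() {
    for key in tcp_max_syn_backlog tcp_syncookies; do
        f="/proc/sys/net/ipv4/$key"
        if [ -r "$f" ]; then
            printf '%s=%s\n' "$key" "$(cat "$f")"
        else
            printf '%s=n/a\n' "$key"
        fi
    done
}

# Live use on a host:  syn_recv_offenders "$(ss -tan)" 50
# Demo on the constructed snapshot:
echo "half-open connections: $(count_syn_recv "$SAMPLE")"
syn_recv_by_peer "$SAMPLE"
echo "offenders (threshold 2):"
syn_recv_offenders "$SAMPLE" 2
syn_backlog_settings
```

Run it as-is to see the demo on the embedded snapshot; on a real host pass `"$(ss -tan)"` instead of `"$SAMPLE"`. A single snapshot only shows who is holding half-open connections right now, so sample a few times before adding anything to a firewall rule, and keep the kernel settings (a larger `tcp_max_syn_backlog`, `tcp_syncookies` enabled) as the first line of defence, as the reply above says.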
Re: [squid-users] Reverse - Apache - Syn Flood
> Hi all, I want to set up Squid as a reverse proxy for my Apache servers. But.. can Squid protect my Apache servers from SYN flood and botnet attacks? Or does Squid drop this connection when Apache is in SYN_RECV? Or is a Squid reverse proxy enough for this, resource-wise? Or can it be a resource problem?
>
> Thanks everybody..
>
> --
> Mehmet CELIK
> Istanbul/TURKEY

Squid simply acts as a speed buffer between the web and the Apache. Yes, it protects the Apache by taking the full brunt of the attacks away.

If the flood is big enough to take down Squid, the website is still offline. Since everything has to go through Squid, that is equivalent to taking out the Apache itself.

What Squid does in these situations is raise the maximum level at which such an attack has any effect. Say your Apache can handle 500 req/sec and Squid 8000 req/sec. The attacker has to bust more than 8000 req/sec to kill the site instead of only 500.

Amos
RE: [squid-users] Reverse - Apache - Syn Flood
> Connection flooding is worse.. and requires offending clients to be blacklisted by firewalling once identified.

If it's a botnet, there can be tens of thousands of hosts, so blacklisting can be difficult. Also, unless you have a multi-gigabit connection, they can just fill your pipe with whatever garbage they like, and your only option then is to ask your ISP to try to filter it.

There are also specialist anti-DDoS services with 10gig connections that act as a front end to your site to filter out the garbage, then forward the real connections to you.

You probably need to do a risk assessment to see whether it's worth spending the money to defend against botnets.